How cyber criminals hijack smart devices

Alan Burkitt-Gray

If the communications industry takes too long to address security, cyber criminals will have time to start to take full advantage of a glaring weakness in their defences, writes Elad Ben-Meir

The internet of things (IoT), the network of autonomous connected devices, is used in a wide variety of scenarios. One is to enhance security in commercial premises of all kinds. Linking devices such as security cameras and digital entry systems in real time has so far safeguarded banks, boardrooms and every other type of office premises.

But those very devices are now at risk of being turned against building occupants. The recent Dyn distributed denial of service (DDoS) attack that hijacked an estimated 100,000 smart devices highlighted the vulnerability of such devices to a mass cyber attack.

What most people do not realise is that such devices can just as easily be hacked individually, enabling cyber criminals to target specific buildings and their occupants. A large city office occupied by a financial institution will, for example, use hundreds, possibly thousands, of devices ranging from security cameras to entry systems.

These are not always secured, and most can therefore be hacked by organised criminals wanting to break into a bank's system to gain access to its cash, or simply to carry out industrial espionage by spying on all the firm's activities, essentially opening up another, physical, attack vector against a business.

Research carried out by cyber security company CyberInt and its partner, IoT security company SecuriThings, shows that surveillance and security devices also typically have weak default password protection and other vulnerabilities, as some of these devices were never designed to resist a determined cyber attack.

Corporate offices occupied by banks, legal firms, accountancy practices and others are wide open to many new forms of cyber attack and cyber espionage. There is now a realm of unknown future attacks, some of which are already being planned by enterprising cyber criminals who are only too aware of this newly emerging vulnerability in corporate security.

The most obvious form of non-distributed IoT attack would be to hack into security cameras for the purpose of industrial espionage. For example, discreetly mounted digital video and audio recorders are now routinely used inside office buildings, guarding inner sanctums such as boardrooms or research facilities. These devices can be hacked relatively easily, enabling criminals and business rivals from virtually anywhere in the world to steal business-critical intelligence.

Spying on staff members can also be used to facilitate a socially engineered attack where vulnerable or disgruntled employees are targeted with a view to blackmailing, bribing or otherwise coercing them into giving the cyber criminals unauthorised access to sensitive corporate data.

It has long been the case that “insider” attacks of this nature are the soft underbelly of corporate security. Monitoring what takes place in offices and what conversations take place behind closed doors would effectively put organised cyber criminals at the heart of an organisation they had targeted. This could expose critical business intelligence such as product designs or business strategies, or give the criminals access to customer accounts.

It is also possible to hack into entry systems and other connected security devices to gain physical entry to premises housing data networks and computer terminals, with the aim of compromising the target organisation’s entire database.

It is clear that cities such as London house thousands, perhaps millions of smart devices which are increasingly being connected to the Internet and can therefore be harnessed in a mass DDoS attack, such as that suffered by Dyn, or targeted individually.

But what is not yet entirely clear is where the responsibility for securing these devices lies. Should this fall to the occupant, to the property company which provides the office infrastructure in the first place, or to the makers and suppliers of smart security devices?

As yet, there is no legislation requiring the manufacturers of the rapidly growing number of smart devices to incorporate any type of cyber security features into their products, and property developers and building owners remain largely unaware of the danger.

If the communications industry takes too long to address this question, cyber criminals will have time to start to take full advantage of what is now a glaring weakness in their security defences.

Nor does the hacker have to be particularly skilled, as the kind of software needed to hijack smart devices is now widely available online. The Dyn attack, for instance, used a well-known malware called Mirai, which is Japanese for “the future”.

Companies which do not wish to have their sensitive customer information hijacked, their product designs and business strategies stolen or their bank accounts emptied should lose little time in extending cyber security well beyond its traditional perimeters. That means including the vast number of connected devices which now sit unprotected and vulnerable to all types of cyber attack.

Elad Ben-Meir is VP of marketing at cyber security firm CyberInt